Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:29757
HistorySep 09, 2013 - 12:00 a.m.

Joomla! VirtueMart component <= 2.0.22a - SQL Injection

2013-09-0900:00:00
vulners.com
99
JSON

Joomla! VirtueMart component <= 2.0.22a - SQL Injection

== Description ==

  • Software link: http://www.virtuemart.net/
  • Affected versions: All versions between 2.0.8 and 2.0.22a are vulnerable.
  • Vulnerability discovered by: Matias Fontanini

== Vulnerability ==
The vulnerability is located in the "user" controller, "removeAddressST" task. The "virtuemart_userinfo_id" parameter is not properly sanitized before being used in the "DELETE" query performed in it, allowing the execution of arbitrary SQL queries.

In order to exploit the vulnerability, an attacker must be authenticated as a customer in the application. However, since the system allows free account registration, this is not a problem.

== Proof of concept ==
The following example URL uses the MySQL "sleep" function through the injection:

http://example.com/index.php?option=com_virtuemart&amp;view=user&amp;task=removeAddressST&amp;virtuemart_userinfo_id=16&#37;22&#37;20and&#37;20sleep&#40;10&#41;&#37;20and&#37;20&#37;22&#37;22&#37;3D&#37;22

== Solution ==
Upgrade the product to the 2.0.22b version.

== Report timeline ==
[2013-08-15] Vulnerability reported to vendor.
[2013-08-16] Developers answered back.
[2013-08-22] VirtueMart 2.0.22b was released, which fixes the the reported issue.
[2013-08-22] Public disclosure.

JSON